I see a few issues going on here. First you are taking in parameters to build a dynamic string and you going to end up executing that dynamic sql with no parameters. This is vulnerable to sql injection.
Your big line of dynamic sql has a lot of errors in it.
select @sql = @sql + 'and ','+REPLACE(@system_Status,'','')+',' LIKE '%,'+system_Status+',%''
I think that line should be something like this:
select @sql = @sql + 'and REPLACE(' + @system_Status + ','''','''') LIKE ''%'' + system_Status + ''%'''
You have a replace statement that is used that is doing nothing. Your replace statement is: REPLACE(@system_Status,'','')
Here you are finding nothing and replacing it with nothing. Not sure what you are trying to do there but this isn't going to do anything.
The query you have built is nonSARGable because you have like % VALUE %. That means it will have to scan each and every row to see if meets the criteria.
I think that what you are trying to do here is process a query with a comma delimited list of values? The best approach to this is to first parse that string and then do your evaluations.
You should read the article in my signature about splitting strings. You might also want to take a look at the first link in my signature for best practices when posting questions.
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/